Publication | Closed Access
A Comprehensive Detection Method for the Lateral Movement Stage of APT Attacks
Citations: 28
References: 29
Year: 2023
Keywords: Engineering, Machine Learning, Evasion Technique, Information Security, Lateral Movement Stage, Network Analysis, Information Forensics, Detection Technique, Side-channel Attack, Targeted Attack, Neural Network Detection, Systems Engineering, Comprehensive Detection Method, Network Security, Intrusion Detection System, Threat Detection, Computer Engineering, Computer Science, Data Security, SMB Protocol, Active Trapping Technology, APT Attacks, Botnet Detection
Due to the outbreak of the COVID-19 pandemic, more companies prefer to use telecommuting for work, which also provides more attack surface for APT attacks. After initially gaining access to the intranet, attackers use Server Message Block (SMB), RDP, and other remote sharing or connection protocols to move laterally in order to escalate privileges. In this work, we design a multidimensional detection framework to detect lateral movement behavior based on the SMB protocol in an intranet environment. The framework combines active trapping and passive scanning, and uses neural networks to identify the attack samples used by the adversary when moving laterally. We test the effectiveness of the active trapping technology in a simulation environment, and verify with real malware samples that the accuracy of neural network detection reaches about 90%. The experimental results show that our work can effectively detect lateral movement over the SMB protocol in an intranet environment.